๐Ÿ› DCSA ยท NISP ยท Facility Clearance

DCSA NISP Compliance Guide

Everything cleared defense contractors need to know about the DCSA National Industrial Security Program โ€” facility clearance tiers, FOCI mitigations, classified contract handling, DD Form 254, and DCSA portal onboarding.

NISP
Program
5
FOCI Methods
4
FCL Levels

What Is the DCSA National Industrial Security Program?

The National Industrial Security Program (NISP) is the framework established by Executive Order 12829 under which the U.S. government protects classified information held by cleared defense contractors. The Defense Counterintelligence and Security Agency (DCSA) โ€” formed in 2020 from the merger of DSS and part of DCIO โ€” administers NISP on behalf of over 13,000 cleared facilities across the defense industrial base.

Unlike CMMC (which governs CUI handling under DoD contracts), NISP governs the handling of classified information โ€” material marked Secret, Top Secret, or Sensitive Compartmented Information (SCI). If your company performs work on classified contracts or stores classified material, NISP compliance is mandatory, not optional.

CMMC vs. NISP โ€” Different Programs, Both Required

CMMC and NISP serve different purposes and apply to different information types. CMMC covers CUI (Controlled Unclassified Information) under DoD's cybersecurity program. NISP covers classified information under DCSA's industrial security program. If you handle both CUI and classified information, you need both programs. DefenseBizStack covers both: see the CMMC Phase 2 guide for the cybersecurity side and this guide for the classified side.

DCSA's role includes:

AI-Generated Content Notice

This guide was authored with AI assistance. DCSA NISP requirements are complex, facility-specific, and subject to DCSA policy updates. All guidance should be verified with your assigned Industrial Security Representative (ISR) and against the current NISPOM at dcsa.mil.

Facility Clearance Tiers

Facility Clearance (FCL) is the approval granted to a contractor to access classified information. FCL is granted at one of four levels, each authorizing access to a corresponding level of classified information. The clearance is issued to the facility, not to individuals โ€” individual personnel need their own Personnel Clearance (PCL) in addition to working at a cleared facility.

The first step in NISP compliance is determining the clearance level your facility needs, based on the classified work you perform or expect to perform.

FCL Level Access Authorization Typical Use Cases Eligibility Requirement
Confidential / Secret Level 1 โ€“ Confidential Day-to-day classified contract work at the Secret or lower level. Most common FCL for subcontractors and vendors. U.S. citizenship for key managers; no disqualifying foreign influence; CAGE code required
Secret Level 2 โ€“ Secret Contracts involving Secret classified information. Common across defense manufacturing, IT, and engineering. Same as Level 1; FOCI determination required if any foreign ownership exists
Top Secret Level 3 โ€“ Top Secret Programs requiring access to Top Secret or "Secret with Special Access" information. Requires more extensive vetting. Enhanced vetting of key managers; additional background investigation; possible FOCI SPA or Proxy Agreement
SCI (Special Access Programs) Level 4 โ€“ SCI Access Most sensitive intelligence and special access programs. Requires separate compartmented access in addition to Top Secret FCL. Top Secret eligibility prerequisite; SAP-specific eligibility adjudication; additional sensitivity review

The SF-328 โ€” Certificate Pertaining to Foreign Interests

The Standard Form 328 (SF-328) is the mandatory form submitted with every Facility Clearance request. It captures information about the company's ownership structure, foreign affiliations, foreign nationals, and any existing or past relationships with foreign entities.

DCSA uses the SF-328 to assess FOCI risk before granting facility clearance. Incomplete or inaccurate SF-328 submissions are one of the top reasons for FCL processing delays. Companies with any foreign ownership โ€” including passive investment, board members, or joint venture partners from foreign countries โ€” must disclose this on the SF-328, even if it seems minor.

FCL vs. PCL โ€” Two Clearances, Not One

Facility Clearance (FCL) is company-level โ€” it authorizes the cleared facility to receive and handle classified information. Personnel Clearance (PCL) is individual-level โ€” it authorizes a specific person to access classified information. Both are required for an individual to work on classified contracts. The facility must have FCL at or above the level of the individual's PCL.

How to Apply for Facility Clearance

  1. Obtain a CAGE code from SAM.gov if you don't already have one โ€” required for all DCSA submissions
  2. Register in the DCSA Portal (see the DCSA Portal Onboarding section below)
  3. Complete SF-328 โ€” disclose all foreign ownership, control, influence, and foreign national involvement
  4. Submit via eFCL in the DCSA Portal โ€” your ISR will review and route for adjudication
  5. Complete FOCI determination if foreign interests are present (see FOCI section)
  6. Receive FCL letter โ€” typically 60โ€“120 days for new applications; existing companies moving from DSS may be faster

FOCI Mitigations

Foreign Ownership, Control, or Influence (FOCI) exists when a foreign person or entity holds a certain percentage of ownership, controls the company through debt or governance rights, or otherwise exerts influence over the company's decisions related to classified information. FOCI does not automatically disqualify a company from receiving facility clearance โ€” but it must be identified, assessed, and mitigated through an approved instrument.

DCSA uses a tiered approach: low-level FOCI may be eligible for a mitigated determination without a formal agreement, while higher-level FOCI requires a formal mitigation instrument approved by DCSA and the relevant Cognizant Security Agency (CSA).

FOCI Categories and Mitigation Instruments

FOCI Level Mitigation Required Governance Impact Approval Body
No FOCI / Mitigated (Low) None required โ€” determination letter issued No restrictions DCSA ISR
Single Principal FOCI Letter of Understanding and Assurance (LOUA) โ€” mitigates influence from a single foreign person or entity Minimal โ€” board reporting and ISR notification requirements DCSA
Proxy Agreement (PA) Proxy Agreement โ€” U.S. citizen proxy makes all FCL-related decisions independently of foreign interest Significant โ€” proxy controls board and executive decisions; foreign owner has no access to classified work decisions DCSA + CSA (if applicable)
Special Security Agreement (SSA) SSA โ€” for companies with substantial foreign investment (typically >5% voting interest from foreign sources in some cases) Governance Committee (GC) required; GC approves all access to classified; foreign owner excluded from GC and classified decisions DCSA + CSA
Restructured Proxy Agreement Restructured PA โ€” modified version for technology companies with complex ownership structures Similar to standard PA with modifications for tech sector DCSA
Board Resolution / Other Mitigation Board resolution or other instrument for specific FOCI scenarios (e.g., foreign national employees in non-sensitive roles) Varies by instrument DCSA ISR

Proxy Agreement

The Proxy Agreement is the most common formal FOCI mitigation instrument for companies with direct foreign ownership or control. Under a Proxy Agreement, a U.S. citizen proxy โ€” often a senior executive with no financial ties to the foreign owner โ€” is granted sole authority to make all decisions related to the company's facility clearance, classified contracts, and security policies.

The foreign owner is effectively walled off from any classified information decisions. The proxy must:

Special Security Agreement (SSA)

The Special Security Agreement is used when a company has foreign investment that creates FOCI but where a full Proxy Agreement is not the best fit โ€” often for companies with multiple foreign investors or complex governance structures. Under an SSA, a Governance Committee (GC) composed of cleared U.S. citizens makes all decisions about classified access and FCL matters. Foreign owners are excluded from the GC and from any role in classified program decisions.

The SSA requires:

FOCI Is Not Disqualifying โ€” But Hiding It Is Fatal

Foreign ownership exists in many defense contractors through institutional investors, venture capital, or strategic partnerships. FOCI is assessed routinely by DCSA and is manageable with the right mitigation instrument. The problem is when companies fail to disclose it. An undisclosed FOCI finding after a facility clearance is granted can result in immediate suspension of FCL and referral for counterintelligence review. Disclose early, mitigate properly.

NISPOM Requirements โ€” What Every Cleared Facility Must Do

The NISP Operating Manual (NISPOM) (32 CFR Part 117, formerly 32 CFR Part 2004) is the authoritative guide to industrial security requirements. Chapter 8 of NISPOM establishes the security requirements that cleared facilities must meet. Key obligations include:

Information Systems Security

Companies that process classified information on IT systems must implement controls consistent with the appropriate security manual (RMP for collateral, ICD 703 for SCI). This includes:

Personnel Security

Physical Security

Security Training and Briefings

All cleared employees must complete initial security awareness training before accessing classified information and annual refresher training thereafter. Records of all training must be maintained.

Classified Contract Handling

Classified contracts involve the creation, handling, storage, and transmission of classified information. The process starts with the contract award package and extends through contract completion and the classified information disposition phase.

DD Form 254 โ€” The Classified Contract Security Requirements Document

The DD Form 254 (Contract Security Classification Specification) is the mandatory document attached to every classified contract. It specifies the classification level and categories of classified information the contractor will access, the security requirements the contractor must meet, and any special handling instructions. The contractor must acknowledge receipt of the DD Form 254 before classified work begins.

DD Form 254 Section What It Covers Contractor Action
Part I โ€” Classification Levels and categories of classified info (e.g., Secret // NOFORN) Verify facility FCL matches required level; confirm your FCL scope covers the categories listed
Part II โ€” Requirements Specific security requirements (IT systems, facilities, personnel) Review against your current security posture; identify gaps before contract start
Part III โ€” Subcontracting Requirements for subcontractor FCL and DD Form 254 flow-down Ensure all subcontracts involving classified information include a DD Form 254 and FCL verification
Part IV โ€” DDTC / Other Agency Requirements Special requirements from other agencies (e.g., DDTC for ITAR-related classified) Coordinate with applicable agency on additional requirements; don't assume NISPOM alone is sufficient

Classified Subcontracting Flow-Downs

Prime contractors are responsible for ensuring that classified requirements are properly flowed to subcontractors. For every subcontract involving classified information, the prime must:

Related: ITAR Compliance

Many classified contracts involving defense articles also trigger ITAR (International Traffic in Arms Regulations) obligations. ITAR classified contracts require coordination between DCSA (NISP) and DDTC (Directorate of Defense Trade Controls) requirements. See DefenseBizStack's full ITAR Compliance for Manufacturers guide for export control requirements that run alongside your NISP obligations.

Contract Completion and Classified Information Disposition

When a classified contract ends, classified information must be properly dispositioned โ€” returned to the government, destroyed, or transferred to another cleared facility under authorization. NISPOM specifies requirements for:

DCSA Portal Onboarding

The DCSA Portal (at dcsa.mil) is the central system for all facility-level interactions with DCSA. It replaced the legacy DSS systems (e.g., eQIP, eFCL) and provides a unified interface for FCL management, reporting, training records, and ISR communications.

Getting Access to the DCSA Portal

Registration requires establishing an account and role-based access for your company's cleared facility:

  1. Identify your Facility Security Officer (FSO) โ€” the primary point of contact with DCSA; must be a U.S. citizen with appropriate clearance
  2. Create a DCSA Portal account at dcsa.mil using your company CAGE code and DUNS number
  3. Complete Identity Proofing (IDP) โ€” remote identity verification process required for all portal users with access to classified information
  4. Request role-based access โ€” FSO, ISSO, Document Control, Visitor Control, and other roles each have separate access requests
  5. Wait for ISR approval โ€” your assigned ISR approves role access requests; typical processing 5โ€“10 business days
  6. Complete FSO training โ€” DCSA requires FSO training completion within 90 days of appointment (FSO Level 1 and Level 2 training courses)
DCSA Portal Key Modules

The DCSA Portal houses several subsystems you will use regularly: eFCL for facility clearance applications and status tracking; NISS (National Industrial Security System) for incident reporting and security reporting; STEPP for security training tracking; and the classified contract portal for DD Form 254 management and classified contract reporting.

Ongoing DCSA Portal Obligations

Once onboarded, your company must maintain active portal access and submit required reports:

Report / Activity Frequency Portal System
Annual Self-Inspection Annually (within 12 months of FCL grant, then each year) NISS / eFCL
Key Manager Change Notification Within 30 days of any key manager change eFCL
FOCI Status Change Notification Immediately upon any change in foreign ownership or control eFCL (amended SF-328)
Security Incident Report Per NISPOM timelines (often 24โ€“72 hours for serious incidents) NISS
Visitor Control / Foreign Visit Authorization Prior to each foreign national visit involving classified access DCSA Portal Visitor module
Security Training Records Updated within 30 days of any training completion STEPP
Classified Material Accountability Ongoing โ€” inventory checks quarterly, annual full inventory NISS (media accountability module)

Step-by-Step NISP Compliance Roadmap

Whether you're seeking initial facility clearance or maintaining an existing FCL, here's a practical roadmap for staying compliant with DCSA NISP requirements.

Maintaining NISP Compliance After Clearance

Receiving facility clearance is the starting point, not the finish line. DCSA conducts ongoing oversight through your Industrial Security Representative (ISR) and requires continuous compliance across several areas:

ISR Visits and Inspections

Your assigned ISR will conduct periodic facility inspections โ€” typically annual for new or high-risk facilities, biennial for stable, lower-risk cleared facilities. Inspections review physical security, information systems security, personnel security practices, and FCL record-keeping. Preparation for ISR visits should be ongoing, not last-minute.

Annual Self-Inspection

Every cleared facility must complete an annual self-inspection and submit the results via the DCSA Portal. The self-inspection verifies continued compliance with all applicable NISPOM requirements and provides DCSA with a compliance status overview without requiring an on-site visit.

Key Personnel Requirements

Changes in key managers โ€” FSO, CEO, or other senior leadership โ€” must be reported to DCSA within 30 days. New key managers must complete background investigation requirements and in some cases may require DCSA approval before assuming their role in a cleared facility.

FOCI Monitoring

If your FOCI is mitigated through a formal agreement (Proxy Agreement, SSA, etc.), you have ongoing obligations including annual compliance certifications, governance committee meeting records, and reporting of any changes to the foreign ownership structure. Failure to maintain these obligations can trigger FCL suspension.

Bottom Line

DCSA NISP compliance is a year-round commitment, not a one-time event. The key to smooth operations: a proactive FSO, current DCSA Portal access, a clean SF-328, a clear FOCI mitigation plan if applicable, and documented evidence of ongoing compliance for every ISR visit. Start your DCSA Portal onboarding early, maintain your annual self-inspection schedule, and report changes before they become problems.

How DefenseBizStack Helps With NISP Compliance

DefenseBizStack provides tools and guidance that support your NISP compliance journey โ€” from initial FCL application preparation through ongoing facility maintenance.

Tool / Resource NISP Use Case
DCSA NISP Compliance Guide This guide โ€” comprehensive coverage of FCL tiers, FOCI mitigations, classified contracts, and DCSA Portal onboarding.
ITAR Compliance Guide Complementary coverage of ITAR export controls that often run alongside classified NISP requirements โ€” especially relevant for companies with both classified contracts and ITAR-controlled defense articles.
CMMC Phase 2 Compliance Guide CUI cybersecurity requirements that run alongside your NISP obligations. Many classified facilities also handle CUI and need both programs.
SPRS Score Calculator Assesses your NIST 800-171 posture โ€” a key component of DFARS compliance that DCSA and CMMC both reference for contractor cybersecurity readiness.
NIST 800-171 Compliance Guide Detailed control-by-control guidance for NIST 800-171, which forms the cybersecurity baseline expected by DCSA for facilities handling both CUI and classified information.

Stay Compliant Across Defense Regulations

DefenseBizStack covers DCSA NISP, CMMC Phase 2, ITAR, and all the major defense compliance frameworks in one place. Start free โ€” no account required.

Explore DefenseBizStack โ†’

[AI-GENERATED] Content generated with AI assistance. DCSA NISP requirements are subject to change. Verify all regulatory claims against current DCSA policy at dcsa.mil and consult your assigned Industrial Security Representative (ISR) before making compliance decisions.